The work started by definining an initial set of use case with the user requirements. In parallel we performed a SotA analysis, identifying key technologies and defined the initial Technical Requirements. Based on these outcomes, the Initial High Level Architecture was outlined along with the user types and user journeys.
With these achievements we started working on assessment tools within WP3. These tools include Static Code Analysers and Formal Verification Methods, such as SASTer, a bundle of static analysis tools tailored for Python and C/C++, leveraging ML to identify security issues, CodeBERT, a transformer-based language model adapted to code, to enhance vulnerability detection, SAVE-ME, to identify vulnerabilities in Erlang code, DetectEr which is a runtime verification tool for Erlang, and IVEE, the Intelligent Vulnerabilities Exposure Engine, using symbolic execution to provide a thorough assessment of software components. Also, we researched and developed RAISE, a comprehensive API fuzzing tool to include an ML model to optimize fuzzing efficiency and precision, and EvoMaster an API fuzzer tool that can automatically generate system level test cases for web and enterprise applications. Also the Dynamic Hardware Analyzer to perform side channel leakage assessment on cryptographic IP Cores, SafeFetch, a detection and protection system for kernel double-fetch bugs, InSpecter Gadget that uses symbolic execution to reason about exploitability of usable gadgets for transient execution attacks is developed and FATex to analyze embedded firmware. Also the Static and Dynamic Supply Chain Guarantee (SSCG & DSCG) generators to develop the necessary portions of the Trusted BOM (TBOM). Also in parallel, in RESCALE, we conducted a thorough and detailed analysis of the current state of the art of existing BOM formats, and selected CycloneDX. Using CycloneDX as the BOM speficication language for the TBOM, we designed and specified the structure of the TBOM, detailing its fields, formats, and functionalities. To provide additional security assurances after a TBOM has been generated we have incorporated the Continuous Security Assurance Platform, which monitors existing TBOMs and potential new vulnerabilities reported into CVE and CWE databases in order to generate new vulnerability alerts and notify TBOM users. Also to provide security and trust mechanisms for authenticity and accountability of TBOM Information, we selected Hyperledger BESU out of a number of various potential blockchain frameworks, and implemented smart contracts for storing and retrieving TBOMs in the blockchain. Once all these modules and technologies were at an MVP level of maturity, we started integrating them and developing the Trust Orchestrator and the TBOM validator along with the RESCALE dashboard in order to create the first RESCALE MVP implementation. Meanwhile we identified how the pilots were going to start experimenting with RESCALE platform and the static and dynamic analysis modules using CI/CD techniques and performed some initial validation and evaluation of the current RESCALE platform and existing modules.